Executive Summary
Between February and September 2025, Russian state-sponsored APT28 (aka BlueDelta, linked to the GRU) launched highly targeted credential-harvesting attacks against individuals in Turkish energy and nuclear agencies, a European think tank, and organizations in North Macedonia and Uzbekistan. The campaign relied on phishing emails with region-specific lures and fake login pages imitating Microsoft OWA, Google, and Sophos VPN portals. Stolen credentials were exfiltrated through disposable internet services (webhook.site and ngrok tunnels), and victims were then redirected to the legitimate site so nothing looked amiss, which also sidesteps detections keyed on malware or unusual destinations. Notably, attackers used legitimate PDF documents themed around high-profile geopolitical events as decoy content.
These incidents underscore the increasing sophistication and operational focus of nation-state phishing campaigns, with attackers rapidly exploiting current geopolitical tensions to credibly target sensitive sectors. Repeated use of trusted public infrastructure for data exfiltration further complicates defense and detection efforts.
Why This Matters Now
This campaign highlights a sharp rise in state-sponsored credential theft targeting critical energy, policy, and government entities, exploiting trusted communications and real-world events. As nation-state attackers leverage quickly changing TTPs and public web infrastructure, organizations in sensitive sectors must urgently harden defenses around identity, access, and east-west threat visibility.
Attack Path Analysis
APT28 delivered phishing emails carrying tailored lure documents and links to spoofed login pages; initial compromise came from the credentials victims typed into those pages. Harvested credentials could grant access to mailboxes or VPN accounts, but privilege escalation beyond the victim's own access was not observed. No direct evidence of lateral movement within target environments was reported, although valid credentials make it possible. No separate command-and-control channel was observed: the harvesting pages posted captured credentials directly to attacker-controlled endpoints on trusted public services (webhook.site and ngrok tunnels), and that same request served as the exfiltration, moving the data out of the victim environment before any endpoint tooling had a chance to react. The observed impact was unauthorized access and potential information gathering, with limited evidence of further disruptive activity.
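Network-side detection for the exfiltration pattern in this attack path (a browser POST to webhook.site or an ngrok tunnel followed, seconds later, by a redirect to the genuine portal), as an added example; this is not code from the report, from Recorded Future or from the vendor. The proxy log format, every log line, the lookalike hostnames and the 120-second window are constructed assumptions, and the ngrok hostname suffixes are my assumption of the current ones and should come from your own intel feed.

```python
"""Flag outbound requests that fit the credential-exfiltration pattern:
a lookalike login page POSTs captured credentials to a disposable web
service, then sends the victim on to the legitimate portal.
Added example; the log format and all log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Services named in the report plus the public hostname suffixes ngrok hands
# out (assumption: current ngrok suffixes; feed this from your own intel).
DISPOSABLE_SUFFIXES = ("webhook.site", "ngrok.io", "ngrok-free.app", "ngrok.app", "ngrok.dev")
# Legitimate portals the lookalike pages imitated (Microsoft OWA, Google).
LEGIT_PORTALS = ("outlook.office.com", "login.microsoftonline.com", "accounts.google.com")
WINDOW_SECONDS = 120  # assumption: the redirect follows the exfil POST within seconds


@dataclass
class Request:
    ts: datetime
    src: str
    method: str
    url: str
    status: int
    referer: str  # '-' when absent

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    @property
    def referer_host(self) -> str:
        return "" if self.referer == "-" else (urlsplit(self.referer).hostname or "")


def host_matches(host: str, suffixes) -> bool:
    """Exact match or subdomain of a suffix. A bare endswith() would also
    match 'notwebhook.site', so the dot boundary is required."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line: str) -> Request:
    # Constructed format: <iso-ts> <src-ip> <method> <url> <status> <referer>
    ts, src, method, url, status, referer = line.split()
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                   src, method.upper(), url, int(status), referer)


def detect(lines):
    """Return (severity, src_ip, reason) alerts in time order."""
    reqs = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r.ts)
    alerts, last_exfil = [], {}  # last_exfil: src -> time of last POST to a disposable service
    for r in reqs:
        if r.method == "POST" and host_matches(r.host, DISPOSABLE_SUFFIXES):
            last_exfil[r.src] = r.ts
            alerts.append(("high", r.src,
                           f"POST to disposable service {r.host} from page {r.referer_host or 'unknown'}"))
        elif (r.method == "GET" and host_matches(r.host, LEGIT_PORTALS)
              and r.referer_host and not host_matches(r.referer_host, LEGIT_PORTALS)):
            # Landing on the real portal from a page that is not the real portal:
            # harmless on its own, damning right after an exfil POST from the same host.
            gap = (r.ts - last_exfil[r.src]).total_seconds() if r.src in last_exfil else None
            if gap is not None and 0 <= gap <= WINDOW_SECONDS:
                alerts.append(("critical", r.src,
                               f"redirected to {r.host} from {r.referer_host} {int(gap)}s after exfil POST"))
            else:
                alerts.append(("low", r.src, f"reached {r.host} via external referer {r.referer_host}"))
    return alerts


# Constructed proxy log: one full capture-and-redirect chain, one ngrok POST,
# one benign referer, and a POST to a look-alike of the suffix list that must not match.
SAMPLE_LOG = """\
2025-06-12T09:14:03Z 10.20.4.17 GET https://owa-mail-portal.example/login 200 -
2025-06-12T09:14:41Z 10.20.4.17 POST https://webhook.site/4f2c1a8e-0000-4000-8000-000000000000 200 https://owa-mail-portal.example/login
2025-06-12T09:14:42Z 10.20.4.17 GET https://outlook.office.com/owa/ 200 https://owa-mail-portal.example/login
2025-06-12T09:20:10Z 10.20.4.33 GET https://accounts.google.com/ 200 https://news-aggregator.example/
2025-06-12T09:31:55Z 10.20.4.33 POST https://abcd-1234.ngrok-free.app/reset 200 https://vpn-reset-portal.example/
2025-06-12T10:02:00Z 10.20.4.50 POST https://notwebhook.site/api 200 -
"""

if __name__ == "__main__":
    for sev, src, why in detect(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {src}: {why}")
```

The same suffix list translates directly into an egress deny list or into Suricata `http.host` content matches; both webhook.site and ngrok have legitimate developer use, so tune the POST rule per environment rather than blocking blindly.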
Kill Chain Progression
Initial Compromise
Description
Phishing emails with malicious links redirected victims to fake login pages styled as common services, tricking users into entering their credentials.
Related CVEs
Listed for context: both CVEs have been exploited by APT28 in earlier operations (see Sources). The 2025 campaign described here obtained access through phished credentials and did not depend on either of them.
CVE-2023-23397
CVSS 9.8. A critical elevation-of-privilege vulnerability in Microsoft Outlook for Windows: a specially crafted email whose reminder points at an attacker-controlled UNC path makes the Outlook client authenticate to that host when the reminder fires, leaking the user's Net-NTLMv2 hash with no user interaction; the hash can then be relayed or cracked for unauthorized access.
Affected Products:
Microsoft Outlook – 2013, 2016, 2019, Microsoft 365 Apps (Office 365), Windows desktop client only
Exploit Status:
exploited in the wild
CVE-2017-6742
CVSS 8.8. A vulnerability in the SNMP subsystem of Cisco IOS and IOS XE Software that allows an authenticated, remote attacker who knows a valid SNMP community string to cause a reload of an affected device or execute code with elevated privileges by sending a crafted SNMP packet.
Affected Products:
Cisco IOS – 12.0, 12.2, 12.4, 15.0, 15.1, 15.2, 15.3, 15.4, 15.5, 15.6
Cisco IOS XE – 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 2.10, 2.11, 2.12, 2.13, 2.14, 2.15, 2.16
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
The following MITRE ATT&CK techniques are the tactics, techniques, and procedures inferred from this credential-harvesting campaign. The mapping may be expanded with additional enrichment in future iterations.
Phishing: Spearphishing Attachment (T1566.001)
Phishing: Spearphishing Link (T1566.002)
User Execution: Malicious Link (T1204.001)
Gather Victim Identity Information: Email Addresses (T1589.002)
Email Collection: Remote Email Collection (T1114.002)
Input Capture: Web Portal Capture (T1056.003)
Adversary-in-the-Middle (T1557), applied via the phishing pages
Exfiltration Over C2 Channel (T1041); Exfiltration Over Web Service (T1567) also fits, since the credentials went to webhook.site and ngrok
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure Authentication for Users and Administrators
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model 2.0 – Phishing-Resistant Authentication, Adaptive Access
Control ID: Identity Pillar
NIS2 Directive – Risk Management Measures and Reporting
Control ID: Article 21
GDPR – Security of Processing
Control ID: Art. 32
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Direct targeting of Turkish energy/nuclear research agencies by Russian APT28 credential harvesting campaigns exposes critical infrastructure vulnerabilities requiring enhanced authentication controls.
Government Administration
Government communication networks face sustained GRU intelligence operations using sophisticated phishing techniques, compromising official credentials and requiring zero trust segmentation defenses.
Think Tanks
European think tanks targeted through spoofed VPN portals and policy document lures, exposing research organizations to state-sponsored credential theft and data exfiltration.
Defense/Space
Military organizations in North Macedonia targeted via fake password reset pages, indicating defense sector exposure to Russian intelligence credential harvesting operations.
Sources
- Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations (The Hacker News). https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html
- APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers (CISA, AA23-108). https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
- APT28 Cyberattacks Using the CVE-2023-23397 Vulnerability (NSDC of Ukraine). https://www.rnbo.gov.ua/files/NKCK/2023/APT28%20cyberattacks%20using%20the%20CVE-2023-23397%20vulnerability%20-%20report.pdf
- Russia's Fancy Bear Launches Mass Credential Collection Campaigns Exploiting Outlook and WinRAR Flaws (CSO Online). https://www.csoonline.com/article/1251293/russias-fancy-bear-launches-mass-credential-collection-campaigns-exploiting-outlook-and-winrar-flaws.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, workload isolation, robust egress security, and continuous threat detection could have constricted the kill chain, limiting credential abuse and exfiltration while increasing the likelihood of detecting anomalous access or outbound credential leakage.
Control: Cloud Firewall (ACF)
Mitigation: Outbound web traffic to known or suspicious phishing and request-capture infrastructure is blocked or alerted on.
Control: Zero Trust Segmentation
Mitigation: Limits the attacker’s movement by enforcing identity-based, least privilege network policies.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized east-west traffic between workloads.
Control: Inline IPS (Suricata)
Mitigation: Prevents or alerts on signature matches of known C2 channels and credential transfer.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound exfiltration attempts are blocked or logged according to strict policy controls.
Early alerts on abnormal login behaviors and credential use enable rapid containment.
Impact at a Glance
Affected Business Functions
- Email Communications
- Network Security
- User Authentication
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive corporate communications, user credentials, and internal network configurations due to credential harvesting and unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Deploy adaptive egress controls and cloud firewalls to block outbound access to known phishing, request-capture and tunnelling platforms (webhook.site, ngrok).
- Enforce phishing-resistant MFA (FIDO2/WebAuthn or certificate-based) on OWA, Google Workspace and VPN portals, so a harvested password alone cannot complete a sign-in.
- Implement zero trust segmentation so compromised credentials cannot traverse or escalate beyond their minimal required access.
- Monitor and enforce east-west traffic security to detect and contain lateral movement stemming from credential abuse.
- Use inline IPS and threat detection to identify and disrupt exfiltration or C2 channels that ride on common external services.
- Regularly audit IAM, VPN, and SaaS authentication flows for suspicious access patterns (first sign-in from a new country or ASN, impossible travel, a success shortly after a flagged outbound POST) and integrate automated anomaly response.